Christian Boltz
6f9e841e74
Fix redefinition of _
...
... which unsurprisingly broke using the translations.
This was a regression introduced in 4f51c93f9d
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/387
2024-04-21 19:02:17 +02:00
John Johansen
a07a0f4428
Fix version, changing from beta0 to alpha0
...
Signed-off-by: John Johansen <john.johansen@canonical.com>
2024-04-18 14:45:31 -07:00
John Johansen
71b869bf16
Update Version on master branch
...
Update the master branch version to reflect that it is now development
for the 4.1 release.
Signed-off-by: John Johansen <john.johansen@canonical.com>
2024-04-18 14:43:18 -07:00
John Johansen
678d6294d7
Merge Add profile for Xorg (X server)
...
This is a profile to contain the Xorg X11 server, which still runs as root in many scenarios (not least under [LightDM](https://github.com/canonical/lightdm/issues/18)).
I've tested this under every X display manager available in Debian/Ubuntu, as well as plain `startx(1)`. Both rootful and rootless modes are covered. The hardware I've tried this on predominantly uses Intel integrated graphics, with one Nouveau system represented. If someone has an Nvidia GPU running the proprietary driver, that would be a good data point to double-check, owing to the different driver architecture.
As you can see, I avoided going too far into the weeds enumerating everything the X server needs to run. The general pattern I found was that it needs read access to a lot of things, but write access to relatively few.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1075
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
2024-04-12 04:03:03 +00:00
John Johansen
93c4c6fb9f
Merge regression tests: add mount test for CVE-2016-1585
...
Add infrastructure for calling the mount test binary with an fstype
instead of using the default hardcoded ext2 type, and then use that in a
test that exercises CVE-2016-1585, ensuring that mounting a procfs
filesystem isn't permitted when the only mount rule is
mount options=(rw,make-slave) -> **,
to try to ensure that the generated and enforced policy is restricted to
what is intended.
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Bug: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1597017
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1211
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
2024-04-12 03:57:35 +00:00
John Johansen
ab9e6311f3
Merge parser: add network inet mediation documentation to apparmor.d
...
This updates the man page for the recent inet mediation patch.
This is an extension of MR 1202, it adds a patch that changes the anonymous ip address anon to be ip address none which is a better fit.
This patch adds documentation of the recent network changes which extended all network rules to support access permissions, and added address and port matching for inet and inet6 families.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1213
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
2024-04-12 03:46:23 +00:00
John Johansen
689df6d3cd
switch inet mediation from using anon to none
...
inet mediation allows specifying rules for sockets that don't have
a known address, whether because it is unbound or because the
kernel doesn't make the address available.
The current code uses the word anon for anonymous, but that has
proven to be unclear. Switch from using anon to none, to emphasize
that this is a case where there just isn't an address to use as
part of mediation.
Signed-off-by: John Johansen <john.johansen@canonical.com>
2024-04-11 19:03:43 -07:00
John Johansen
3c43c314dc
Merge profiles: add unconfined wike profile
...
Wike (deb package/compiled version) does not run in Ubuntu 24.04
due to some interference between apparmor and webkit.
Fixes: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2060810
Signed-off-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1212
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
2024-04-11 22:59:58 +00:00
John Johansen
a0acf7785d
Merge parser: inet conditionals should only generate rules for inet family
...
When a family is specified in the network rules, we have to make sure
the conditionals match the family. A netlink rule should not be able
to specify ip and port for local and remote (peer) sockets, for example.
When type or protocol is specified in network rules along with inet
conditionals, we should only generate rules for the families that
support those conditionals.
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/384
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
Closes #384
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1210
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
2024-04-11 22:58:59 +00:00
John Johansen
0aa689dbf7
Merge profiles: add unconfined foliate profile
...
Foliate is using user namespaces via bwrap. For now add an unconfined
profile to support it.
Fixes: https://github.com/johnfactotum/foliate/issues/1271
Fixes: https://bugs.launchpad.net/bugs/2060767
Signed-off-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1209
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
2024-04-11 22:51:10 +00:00
Archisman Panigrahi
e7c5796a23
profiles: add unconfined wike profile
...
Wike (deb package/compiled version) does not run in Ubuntu 24.04
due to some interference between apparmor and webkit.
Fixes: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2060810
Signed-off-by: John Johansen <john.johansen@canonical.com>
2024-04-11 15:50:55 -07:00
John Johansen
36d0ceaf19
profiles: add unconfined foliate profile
...
Foliate is using user namespaces via bwrap. For now add an unconfined
profile to support it.
Fixes: https://github.com/johnfactotum/foliate/issues/1271
Signed-off-by: John Johansen <john.johansen@canonical.com>
2024-04-11 15:43:55 -07:00
John Johansen
a1afe3265c
Merge Updates to the chromium_browser profile
...
This is a retargeting of [my MR in apparmor-profiles](https://gitlab.com/apparmor/apparmor-profiles/-/merge_requests/58).
The most significant change is the addition of a `crashpad_handler` subprofile, to factor out some permissions that the browser proper does not need. The remainder is mostly updates from my normal usage monitoring.
I have recorded below examples of the AppArmor log messages that motivated the updates. They are listed in the order in which they appear in the overall diff:
#### +abstractions/fonts
`Jun 30 16:45:42 testvm kernel: [ 4956.877581] audit: type=1400 audit(1688157942.647:127): apparmor="DENIED" operation="mknod" profile="chromium_browser" name="/home/username/.cache/fontconfig/af531e44-9f34-43fa-a244-e0ea9a6dc5f1-le64.cache-7.TMP-VbjHEy" pid=2136 comm="chromium" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000`
#### +abstractions/mesa
`May 30 21:08:36 testvm kernel: [ 9893.605107] audit: type=1400 audit(1685495316.380:1708): apparmor="ALLOWED" operation="file_lock" profile="chromium_browser" name="/home/username/.cache/mesa_shader_cache/6b/ce9f90908044cb4d4dabc34d81bf24b2fbda0a.tmp" pid=5879 comm="chromiu:disk$0" requested_mask="k" denied_mask="k" fsuid=1000 ouid=1000`
#### +abstractions/vulkan
`May 30 22:35:36 testvm kernel: [1544761.278181] audit: type=1400 audit(1685500536.387:22272): apparmor="DENIED" operation="open" profile="chromium_browser" name="/sys/devices/pci0000:00/0000:00:02.0/drm/card0/gt_min_freq_mhz" pid=963194 comm="chromium" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0`
#### -deny dbus path=/org/freedesktop/hostname1
`Jun 13 19:16:35 image-ubuntu64 kernel: [78978.711877] audit: type=1107 audit(1686698195.982:2339): pid=540 uid=102 auid=4294967295 ses=4294967295 subj=unconfined msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/hostname1" interface="org.freedesktop.DBus.Properties" member="GetAll" mask="send" name=":1.369" pid=17766 label="chromium_browser" peer_pid=17975 peer_label="unconfined"`
#### +dbus path=/org/freedesktop/login1
`Jun 12 21:45:36 testvm kernel: [ 1518.318643] audit: type=1107 audit(1686620736.127:67): pid=540 uid=102 auid=4294967295 ses=4294967295 subj=unconfined msg='apparmor="DENIED" operation="dbus_signal" bus="system" path="/org/freedesktop/login1" interface="org.freedesktop.login1.Manager" member="SessionNew" name=":1.1" mask="receive" pid=3378 label="chromium_browser" peer_pid=565 peer_label="unconfined"`
`Jun 12 21:40:03 testvm kernel: [ 1185.247117] audit: type=1107 audit(1686620403.059:66): pid=540 uid=102 auid=4294967295 ses=4294967295 subj=unconfined msg='apparmor="DENIED" operation="dbus_signal" bus="system" path="/org/freedesktop/login1" interface="org.freedesktop.login1.Manager" member="SessionRemoved" name=":1.1" mask="receive" pid=3378 label="chromium_browser" peer_pid=565 peer_label="unconfined"`
#### +dbus path=/org/freedesktop/DBus
`Jun 2 00:02:39 image-ubuntu64 dbus-daemon[10113]: apparmor="ALLOWED" operation="dbus_method_call" bus="session" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="AddMatch" mask="send" name="org.freedesktop.DBus" pid=34637 label="chromium_browser" peer_label="unconfined"`
`Jun 2 00:02:39 image-ubuntu64 dbus-daemon[10113]: apparmor="ALLOWED" operation="dbus_method_call" bus="session" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="GetNameOwner" mask="send" name="org.freedesktop.DBus" pid=34637 label="chromium_browser" peer_label="unconfined"`
`Jun 2 00:02:39 image-ubuntu64 dbus-daemon[10113]: apparmor="ALLOWED" operation="dbus_method_call" bus="session" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="Hello" mask="send" name="org.freedesktop.DBus" pid=34637 label="chromium_browser" peer_label="unconfined"`
`Jun 2 00:02:39 image-ubuntu64 dbus-daemon[10113]: apparmor="ALLOWED" operation="dbus_method_call" bus="session" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="NameHasOwner" mask="send" name="org.freedesktop.DBus" pid=34637 label="chromium_browser" peer_label="unconfined"`
`Jun 2 00:02:39 image-ubuntu64 dbus-daemon[10113]: apparmor="ALLOWED" operation="dbus_method_call" bus="session" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="RemoveMatch" mask="send" name="org.freedesktop.DBus" pid=34637 label="chromium_browser" peer_label="unconfined"`
`Jun 2 00:02:39 image-ubuntu64 dbus-daemon[10113]: apparmor="ALLOWED" operation="dbus_method_call" bus="session" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="StartServiceByName" mask="send" name="org.freedesktop.DBus" pid=34637 label="chromium_browser" peer_label="unconfined"`
#### +dbus path=/org/freedesktop/portal/desktop
`Jun 2 00:02:39 testvm dbus-daemon[10113]: apparmor="ALLOWED" operation="dbus_method_call" bus="session" path="/org/freedesktop/portal/desktop" interface="org.freedesktop.DBus.Properties" member="Get" mask="send" name="org.freedesktop.portal.Desktop" pid=34637 label="chromium_browser" peer_pid=10595 peer_label="unconfined"`
#### +dbus path=/org/freedesktop/Notifications
`Jun 2 00:02:39 testvm dbus-daemon[10113]: apparmor="ALLOWED" operation="dbus_method_call" bus="session" path="/org/freedesktop/Notifications" interface="org.freedesktop.Notifications" member="GetCapabilities" mask="send" name="org.freedesktop.Notifications" pid=34637 label="chromium_browser" peer_pid=10438 peer_label="unconfined"`
`Jun 2 00:02:39 testvm dbus-daemon[10113]: apparmor="ALLOWED" operation="dbus_method_call" bus="session" path="/org/freedesktop/Notifications" interface="org.freedesktop.Notifications" member="GetServerInformation" mask="send" name="org.freedesktop.Notifications" pid=34637 label="chromium_browser" peer_pid=10438 peer_label="unconfined"`
#### +dbus path=/org/gtk/vfs/mounttracker
`Jun 2 00:02:39 testvm dbus-daemon[10113]: apparmor="ALLOWED" operation="dbus_method_call" bus="session" path="/org/gtk/vfs/mounttracker" interface="org.gtk.vfs.MountTracker" member="ListMountableInfo" mask="send" name=":1.9" pid=34637 label="chromium_browser" peer_pid=10331 peer_label="unconfined"`
#### +/etc/fstab
`Jun 19 00:12:34 testvm kernel: [3192175.541293] audit: type=1400 audit(1687147954.193:127452): apparmor="DENIED" operation="open" profile="chromium_browser" name="/etc/fstab" pid=1541844 comm="chromium" requested_mask="r" denied_mask="r" fsuid=1002 ouid=0`
#### +~/.cache/thumbnails
`Jun 28 14:31:34 testvm kernel: [4021314.484388] audit: type=1400 audit(1687977094.903:128621): apparmor="DENIED" operation="open" profile="chromium_browser" name="/home/username/.cache/thumbnails/normal/5ff3c24d6d3b35a6ea92e12c71c487f9.png" pid=1781421 comm="pool-chromium" requested_mask="r" denied_mask="r" fsuid=1002 ouid=1002`
`Jun 28 14:31:34 testvm kernel: [4021314.484975] audit: type=1400 audit(1687977094.903:128622): apparmor="DENIED" operation="open" profile="chromium_browser" name="/home/username/.cache/thumbnails/normal/5ff3c24d6d3b35a6ea92e12c71c487f9.png" pid=1781421 comm="chromium" requested_mask="r" denied_mask="r" fsuid=1002 ouid=1002`
#### -/proc/$PID/fd/
This rule appears to have been used by the crash handler, so I've moved it to the new `crashpad_handler` subprofile. I have not observed the normal browser process(es) attempting this access.
#### +/proc/pressure/{cpu,io,memory}
`May 30 22:44:26 testvm kernel: [1545291.245886] audit: type=1400 audit(1685501066.352:22355): apparmor="DENIED" operation="open" profile="chromium_browser" name="/proc/pressure/cpu" pid=741817 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1002 ouid=0`
`May 30 22:44:26 testvm kernel: [1545291.245903] audit: type=1400 audit(1685501066.352:22356): apparmor="DENIED" operation="open" profile="chromium_browser" name="/proc/pressure/io" pid=741817 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1002 ouid=0`
`May 30 22:44:26 testvm kernel: [1545291.245912] audit: type=1400 audit(1685501066.352:22357): apparmor="DENIED" operation="open" profile="chromium_browser" name="/proc/pressure/memory" pid=741817 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1002 ouid=0`
#### +/proc/$PID/clear_refs
`May 30 18:32:55 testvm kernel: [ 552.316554] audit: type=1400 audit(1685485975.161:305): apparmor="ALLOWED" operation="open" profile="chromium_browser" name="/proc/1950/clear_refs" pid=1950 comm="MemoryInfra" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000`
#### +/proc/$PID/mountinfo
`Jun 19 00:12:34 testvm kernel: [3192175.541221] audit: type=1400 audit(1687147954.193:127451): apparmor="DENIED" operation="open" profile="chromium_browser" name="/proc/1541844/mountinfo" pid=1541844 comm="gmain" requested_mask="r" denied_mask="r" fsuid=1002 ouid=1002`
#### +/proc/sys/fs/inotify/max_user_watches
`May 30 18:32:26 testvm kernel: [ 523.274479] audit: type=1400 audit(1685485946.109:288): apparmor="ALLOWED" operation="open" profile="chromium_browser" name="/proc/sys/fs/inotify/max_user_watches" pid=1972 comm="chromium" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0`
#### +/sys/devices/system/cpu/{kernel_max,possible,present}
`May 30 18:32:26 testvm kernel: [ 523.287063] audit: type=1400 audit(1685485946.125:290): apparmor="ALLOWED" operation="open" profile="chromium_browser" name="/sys/devices/system/cpu/kernel_max" pid=1971 comm="chromium" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0`
`May 30 18:32:26 testvm kernel: [ 523.287107] audit: type=1400 audit(1685485946.125:291): apparmor="ALLOWED" operation="open" profile="chromium_browser" name="/sys/devices/system/cpu/possible" pid=1971 comm="chromium" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0`
`May 30 18:32:26 testvm kernel: [ 523.287607] audit: type=1400 audit(1685485946.125:297): apparmor="ALLOWED" operation="open" profile="chromium_browser" name="/sys/devices/system/cpu/present" pid=1972 comm="chromium" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0`
#### +/sys/devices/pci[0-9]*/**/{bConfigurationValue,boot_vga,busnum}
`2023-07-03T04:40:49.955727-04:00 testsys kernel: [28353.647821] audit: type=1400 audit(1688373649.948:152): apparmor="DENIED" operation="open" profile="chromium_browser" name="/sys/devices/pci0000:00/0000:00:1d.3/usb5/5-2/bConfigurationValue" pid=5585 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0`
`Jul 4 00:10:52 testvm kernel: [ 405.584960] audit: type=1400 audit(1688443852.472:148): apparmor="DENIED" operation="open" profile="chromium_browser" name="/sys/devices/pci0000:00/0000:00:02.0/boot_vga" pid=2057 comm="chromium" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0`
`2023-07-03T04:40:49.955731-04:00 testsys kernel: [28353.647923] audit: type=1400 audit(1688373649.948:153): apparmor="DENIED" operation="open" profile="chromium_browser" name="/sys/devices/pci0000:00/0000:00:1d.3/usb5/5-2/busnum" pid=5585 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0`
#### +/sys/devices/pci[0-9]*/**/{descriptors,devnum}
`2023-07-02T21:29:22.067669-04:00 testsys kernel: [ 2465.760458] audit: type=1400 audit(1688347762.063:71): apparmor="DENIED" operation="open" profile="chromium_browser" name="/sys/devices/pci0000:00/0000:00:1d.0/usb2/descriptors" pid=2276 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0`
`2023-07-02T21:29:22.071708-04:00 testsys kernel: [ 2465.762364] audit: type=1400 audit(1688347762.067:75): apparmor="DENIED" operation="open" profile="chromium_browser" name="/sys/devices/pci0000:00/0000:00:1d.3/usb5/5-2/descriptors" pid=2276 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0`
`2023-07-02T21:29:22.071721-04:00 testsys kernel: [ 2465.763437] audit: type=1400 audit(1688347762.067:78): apparmor="DENIED" operation="open" profile="chromium_browser" name="/sys/devices/pci0000:00/0000:00:1d.7/usb1/1-6/1-6.3/descriptors" pid=2276 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0`
`2023-07-03T04:40:49.955736-04:00 testsys kernel: [28353.648042] audit: type=1400 audit(1688373649.948:154): apparmor="DENIED" operation="open" profile="chromium_browser" name="/sys/devices/pci0000:00/0000:00:1d.3/usb5/5-2/devnum" pid=5585 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0`
#### +/sys/devices/pci[0-9]*/**/{manufacturer,product}
`2023-07-03T04:40:49.955694-04:00 testsys kernel: [28353.647497] audit: type=1400 audit(1688373649.948:150): apparmor="DENIED" operation="open" profile="chromium_browser" name="/sys/devices/pci0000:00/0000:00:1d.3/usb5/5-2/manufacturer" pid=5585 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0`
`2023-07-03T04:40:49.955721-04:00 testsys kernel: [28353.647661] audit: type=1400 audit(1688373649.948:151): apparmor="DENIED" operation="open" profile="chromium_browser" name="/sys/devices/pci0000:00/0000:00:1d.3/usb5/5-2/product" pid=5585 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0`
#### +/sys/devices/pci[0-9]*/**/serial
(lost the log entry for this one)
#### +deny /sys/devices/virtual/dmi/id/*
`May 30 18:38:58 testvm kernel: [ 915.363204] audit: type=1400 audit(1685486338.202:390): apparmor="ALLOWED" operation="open" profile="chromium_browser" name="/sys/devices/virtual/dmi/id/sys_vendor" pid=2158 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0`
`May 30 18:38:58 testvm kernel: [ 915.363521] audit: type=1400 audit(1685486338.202:391): apparmor="ALLOWED" operation="open" profile="chromium_browser" name="/sys/devices/virtual/dmi/id/product_name" pid=2158 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0`
These sysfs paths yield the make and model of your system, so their access is questionable from a privacy perspective.
#### +{dev,var/run} in shm paths
Can't be replaced with `@{run}` as this does not include `/dev`.
#### +ptrace (read)
`May 31 04:47:35 testvm kernel: [1567080.438164] audit: type=1400 audit(1685522855.581:124669): apparmor="DENIED" operation="ptrace" profile="chromium_browser" pid=1145702 comm="ThreadPoolForeg" requested_mask="read" denied_mask="read" peer="chromium_browser//xdgsettings"`
Figured I'd add read access proactively to `lsb_release` as well. Holding back on adding it to self for now.
#### /etc/@{chromium}/policies/** -> /etc/@{chromium}/**
`May 30 21:25:44 testvm kernel: [10922.020981] audit: type=1400 audit(1685496344.792:2031): apparmor="ALLOWED" operation="open" profile="chromium_browser" name="/etc/chromium/master_preferences" pid=6465 comm="chromium" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0`
#### Note: "~/.pki/... denied by private-files abstraction"
`May 30 21:29:13 testvm kernel: [11130.436441] audit: type=1400 audit(1685496553.206:2105): apparmor="ALLOWED" operation="mkdir" profile="chromium_browser" name="/home/username/.pki/" pid=7344 comm="ThreadPoolForeg" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000`
`May 30 21:29:13 testvm kernel: [11130.437992] audit: type=1400 audit(1685496553.206:2106): apparmor="ALLOWED" operation="mkdir" profile="chromium_browser" name="/home/username/.pki/nssdb/" pid=7344 comm="ThreadPoolForeg" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000`
Something else will need to create these directories.
#### +Widevine
`May 31 04:46:52 testvm kernel: [1567036.849155] audit: type=1400 audit(1685522811.993:124665): apparmor="DENIED" operation="file_mmap" profile="chromium_browser" name="/home/username/.config/chromium/WidevineCdm/4.10.2557.0/_platform_specific/linux_x64/libwidevinecdm.so" pid=1145723 comm="chromium" requested_mask="m" denied_mask="m" fsuid=1002 ouid=1002`
#### +GVfs
`Jun 13 19:16:35 testvm kernel: [78978.537455] audit: type=1400 audit(1686698195.810:2337): apparmor="DENIED" operation="connect" profile="chromium_browser" name="/run/user/1000/gvfsd/socket-EpT3MyPP" pid=17766 comm="chromium" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000`
#### +/lib/libc.so
`May 30 18:02:25 testvm kernel: [ 868.340300] audit: type=1400 audit(1685484145.031:80): apparmor="ALLOWED" operation="open" profile="chromium_browser//chromium_browser_sandbox" name="/lib/x86_64-linux-gnu/libc.so.6" pid=2405 comm="chrome-sandbox" requested_mask="r" denied_mask="r" fsuid=0 ouid=0`
`May 30 18:02:25 testvm kernel: [ 868.340363] audit: type=1400 audit(1685484145.031:81): apparmor="ALLOWED" operation="file_mmap" profile="chromium_browser//chromium_browser_sandbox" name="/lib/x86_64-linux-gnu/libc.so.6" pid=2405 comm="chrome-sandbox" requested_mask="rm" denied_mask="rm" fsuid=0 ouid=0`
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1208
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
2024-04-11 22:43:01 +00:00
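The chromium_browser MR above derives each new rule from an AppArmor audit record, and the same record shapes (kernel type=1400 file events, type=1107 D-Bus events with a `msg='...'` wrapper, ptrace and network events) recur elsewhere on this page. The following is an added example, not code from the AppArmor project (aa-logprof is the project's own, richer tool): it flattens such records into fields, summarises distinct accesses per profile, and drafts a file rule per file event using three heuristics of this example (`/home/<user>` becomes `@{HOME}`, the subject's own `/proc/<pid>` becomes `@{PROC}/@{pid}`, and `owner` is added when fsuid equals ouid). The sample lines are constructed after the ones quoted in the MR.

```python
"""Summarise AppArmor audit records and draft file rules from them.
Added example for this page, not AppArmor project code."""
import re
from collections import defaultdict

# key="quoted value" or key=bareword, as audit and dbus-daemon emit them
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# canonical order for file-rule letters; audit 'c' (create) and 'd' (delete)
# are both granted by 'w' in policy
_PERM_ORDER = "rwalkm"
_RULE_PERM = {"c": "w", "d": "w"}


def parse_line(line):
    """Flatten one audit line into a dict of field -> value.
    type=1107 (D-Bus) records wrap the AppArmor fields in msg='...'; the
    wrapper is stripped so they parse like type=1400 records.  Later
    duplicates win, so for D-Bus records 'pid' is the subject's pid, not
    the dbus-daemon pid that appears earlier on the line."""
    line = line.replace("msg='", " ").rstrip("'\n")
    return {k: q or b for k, q, b in _KV.findall(line)}


def describe(fields):
    """Return (profile, status, operation, object, mask) for a parsed record."""
    profile = fields.get("profile") or fields.get("label") or "?"
    op = fields.get("operation", "?")
    if op.startswith("dbus_"):
        obj = "%s %s.%s" % (fields.get("path", "?"),
                            fields.get("interface", "?"), fields.get("member", "?"))
    elif op == "ptrace":
        obj = "peer=" + fields.get("peer", "?")
    elif fields.get("class") == "net":
        obj = "%s %s %s" % (fields.get("family", "?"),
                            fields.get("sock_type", "?"), fields.get("addr", ""))
    else:
        obj = fields.get("name", "?")
    mask = fields.get("denied_mask") or fields.get("mask") or fields.get("requested_mask", "?")
    return profile, fields.get("apparmor", "?"), op, obj, mask


def summarize(lines):
    """Group distinct accesses by profile.  In complain mode the status is
    ALLOWED even though no rule permits the access, so both statuses count."""
    out = defaultdict(set)
    for line in lines:
        fields = parse_line(line)
        if "apparmor" not in fields:
            continue  # not an AppArmor record
        profile, status, op, obj, mask = describe(fields)
        out[profile].add((status, op, obj, mask))
    return {p: sorted(v) for p, v in out.items()}


def file_rule(fields):
    """Draft a file rule for a file-class record; None for D-Bus, ptrace and
    network records, which need other rule types."""
    op = fields.get("operation", "")
    name = fields.get("name")
    if not name or op.startswith("dbus_") or op == "ptrace" or fields.get("class") == "net":
        return None
    letters = {_RULE_PERM.get(c, c) for c in fields.get("denied_mask") or fields.get("requested_mask", "")}
    perms = "".join(c for c in _PERM_ORDER if c in letters) + "".join(sorted(letters - set(_PERM_ORDER)))
    path = re.sub(r"^/home/[^/]+/", "@{HOME}/", name)        # heuristic: any user's home
    if fields.get("pid"):                                     # heuristic: the subject's own /proc entry
        path = re.sub(r"^/proc/%s/" % re.escape(fields["pid"]), "@{PROC}/@{pid}/", path)
    owner = "owner " if fields.get("fsuid") == fields.get("ouid") else ""
    return "%s%s %s," % (owner, path, perms)


# Constructed after the records quoted in the chromium_browser and sshd entries.
SAMPLE_LINES = [
    'audit: type=1400 audit(1688157942.647:127): apparmor="DENIED" operation="mknod" profile="chromium_browser" name="/home/username/.cache/fontconfig/af531e44-le64.cache-7.TMP-VbjHEy" pid=2136 comm="chromium" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000',
    'audit: type=1400 audit(1687147954.193:127451): apparmor="DENIED" operation="open" profile="chromium_browser" name="/proc/1541844/mountinfo" pid=1541844 comm="gmain" requested_mask="r" denied_mask="r" fsuid=1002 ouid=1002',
    'audit: type=1107 audit(1686698195.982:2339): pid=540 uid=102 auid=4294967295 ses=4294967295 subj=unconfined msg=\'apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/hostname1" interface="org.freedesktop.DBus.Properties" member="GetAll" mask="send" name=":1.369" pid=17766 label="chromium_browser" peer_pid=17975 peer_label="unconfined"\'',
    'audit: type=1400 audit(1685522855.581:124669): apparmor="DENIED" operation="ptrace" profile="chromium_browser" pid=1145702 comm="ThreadPoolForeg" requested_mask="read" denied_mask="read" peer="chromium_browser//xdgsettings"',
    'audit: type=1400 audit(1711512628.920:155): apparmor="DENIED" operation="bind" class="net" profile="/usr/sbin/sshd" pid=1290 comm="sshd" family="unix" sock_type="stream" protocol=0 requested_mask="bind" denied_mask="bind" addr="@63cf34db7fbab75f/bus/sshd/system"',
    'Jun 19 00:12:34 testvm kernel: some unrelated message',
]

if __name__ == "__main__":
    for profile, events in summarize(SAMPLE_LINES).items():
        print(profile)
        for status, op, obj, mask in events:
            print("  %-7s %-16s %s [%s]" % (status, op, obj, mask))
    print("\ndrafted file rules:")
    for line in SAMPLE_LINES:
        rule = file_rule(parse_line(line))
        if rule:
            print("  " + rule)
```

The drafted rules are a starting point only: a reviewer still has to decide whether a path should be generalised (as the MR does for `/sys/devices/pci[0-9]*/**`) or denied outright (as it does for `/sys/devices/virtual/dmi/id/*`).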
John Johansen
30a45ba82f
Merge Add profiles for the Transmission family of Bittorrent clients
...
This covers the various forms of the Transmission BT client. I've tested the `-gtk` one most thoroughly, and run through an ISO download with each of the other three.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1190
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
2024-04-11 22:41:45 +00:00
Steve Beattie
ff644df776
regression tests: add mount test for CVE-2016-1585
...
Add infrastructure for calling the mount test binary with an fstype
instead of using the default hardcoded ext2 type, and then use that in a
test that exercises CVE-2016-1585, ensuring that mounting a procfs
filesystem isn't permitted when the only mount rule is
mount options=(rw,make-slave) -> **,
to try to ensure that the generated and enforced policy is restricted to
what is intended.
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Bug: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1597017
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1211
2024-04-11 11:52:17 -07:00
Georgia Garcia
c1ca0286e8
parser: inet conditionals should only generate rules for inet family
...
When a family is specified in the network rules, we have to make sure
the conditionals match the family. A netlink rule should not be able
to specify ip and port for local and remote (peer) sockets, for example.
When type or protocol is specified in network rules along with inet
conditionals, we should only generate rules for the families that
support those conditionals.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
2024-04-10 16:46:08 -03:00
John Johansen
41d4664124
Merge profiles: disable bwrap and unshare profiles by default
...
The bwrap and unshare profiles are special profiles in the same
vein as the unconfined profiles, but they actually enforce restrictions
on the applications that are launched.
As such they have come too late in the 4.0 dev cycle to consider enabling
by default. Disable them but ship them so users or distros can easily
enable them.
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/382
Signed-off-by: John Johansen <john.johansen@canonical.com>
Closes #382
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1206
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
2024-04-08 07:15:54 +00:00
John Johansen
77f03f143a
profiles: disable bwrap and unshare profiles by default
...
The bwrap and unshare profiles are special profiles in the same
vein as the unconfined profiles, but they actually enforce restrictions
on the applications that are launched.
As such they have come too late in the 4.0 dev cycle to consider enabling
by default. Disable them but ship them so users or distros can easily
enable them.
Signed-off-by: John Johansen <john.johansen@canonical.com>
2024-04-07 22:53:12 -07:00
John Johansen
78c56936d5
profiles: update bwrap and unshare profiles
...
Update the bwrap and unshare profiles to allow stacking against system
application profiles so that bwrap and unshare can not be used to
get around system profile restrictions.
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/382
Signed-off-by: John Johansen <john.johansen@canonical.com>
2024-04-07 22:53:04 -07:00
Daniel Richard G
6211dd36e7
chromium_browser: add owner keywords, DBus/sysfs rule updates
...
Also update the last `#include` directive, and fix a path
2024-04-05 05:16:12 -04:00
Daniel Richard G
ae54ccbe90
chromium_browser: updates from usage monitoring
2024-04-05 02:39:23 -04:00
Daniel Richard G
76f5e88f8c
chromium_browser: add subprofile for chrome_crashpad_handler
2024-04-05 02:38:53 -04:00
John Johansen
2d59dc3d9b
Merge profiles: Add profile for unshare utility
...
This adds an unshare profile to allow it to function on a system
with user namespace restrictions enabled.
The child task of unshare will enter into a profile without capabilities,
thus preventing unshare from being used to
arbitrarily by-pass the user namespace restriction.
This profile does prevent applications launched with privilege (eg.
sudo unshare ...) from functioning so it may break some use cases.
Fixes: https://bugs.launchpad.net/ubuntu/+source/pageedit/+bug/2046844
Signed-off-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1204
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
2024-04-04 05:42:33 +00:00
John Johansen
b6f2a3d9d2
Merge profiles: Add profile for bwrap utility
...
This adds a bwrap profile to allow it to function on a system with
user namespace restrictions enabled.
The child task of bwrap will enter into a profile without capabilities,
thus preventing bwrap from being used to arbitrarily
by-pass user namespace restrictions.
This profile does prevent applications launched with privilege (eg.
sudo bwrap ...) from functioning so it may break some use cases.
Note: The unpriv_bwrap profile is deliberately stacked against the
bwrap profile due to bwrap's use of no-new-privileges.
Fixes: https://bugs.launchpad.net/ubuntu/+source/pageedit/+bug/2046844
Signed-off-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1205
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
2024-04-04 05:42:27 +00:00
John Johansen
8fb895eb8c
profiles: Add profile for bwrap utility
...
This adds a bwrap profile to allow it to function on a system with
user namespace restrictions enabled.
The child task of bwrap will enter into a profile without capabilities,
thus preventing bwrap from being used to arbitrarily
by-pass user namespace restrictions.
This profile does prevent applications launched with privilege (eg.
sudo bwrap ...) from functioning so it may break some use cases.
Note: The unpriv_bwrap profile is deliberately stacked against the
bwrap profile due to bwrap's use of no-new-privileges.
Fixes: https://bugs.launchpad.net/ubuntu/+source/pageedit/+bug/2046844
Signed-off-by: John Johansen <john.johansen@canonical.com>
2024-04-03 21:57:36 -07:00
John Johansen
2dfe6aeec2
Merge profiles: adjust unconfined firefox profile to support mozilla.org download
...
The tarball version of firefox downloaded from mozilla.org
installs to /opt/firefox/firefox. Support this location so that the
firefox from the tarball works.
Note this does not support running firefox from the user's home directory;
in this case the user must update the profile accordingly.
Signed-off-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1203
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
2024-04-04 04:45:29 +00:00
John Johansen
c299dd0d96
profiles: Add profile for unshare utility
...
This adds an unshare profile to allow it to function on a system
with user namespace restrictions enabled.
The child task of unshare will enter into a profile without capabilities,
thus preventing unshare from arbitrarily being used to
by-pass the user namespace restriction.
This profile does prevent applications launched with privilege (eg.
sudo unshare ...) from functioning so it may break some use cases.
Signed-off-by: John Johansen <john.johansen@canonical.com>
2024-04-03 21:38:43 -07:00
John Johansen
04df76dc5d
profiles: adjust unconfined firefox profile to support mozilla.org download
...
The tarball version of firefox downloaded from mozilla.org
installs to /opt/firefox/firefox. Support this location so that the
firefox from the tarball works.
Note this does not support running firefox from the user's home directory;
in this case the user must update the profile accordingly.
Signed-off-by: John Johansen <john.johansen@canonical.com>
2024-04-03 15:22:57 -07:00
John Johansen
5998a0021a
Merge profiles/samba*: allow /etc/gnutls/config & @{HOMEDIRS}
...
# abstractions/samba: allow /etc/gnutls/config
Various samba components want to read it. Without it, shares cannot be accessed.
apparmor="DENIED" operation="open" class="file" profile="nmbd" name="/etc/gnutls/config" pid=23509 comm="nmbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="DENIED" operation="open" class="file" profile="smbd" name="/etc/gnutls/config" pid=23508 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="DENIED" operation="open" class="file" profile="samba-rpcd" name="/etc/gnutls/config" pid=24037 comm="rpcd_fsrvp" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="DENIED" operation="open" class="file" profile="samba-rpcd" name="/etc/gnutls/config" pid=24036 comm="rpcd_epmapper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="DENIED" operation="open" class="file" profile="samba-rpcd" name="/etc/gnutls/config" pid=24038 comm="rpcd_lsad" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="DENIED" operation="open" class="file" profile="samba-rpcd" name="/etc/gnutls/config" pid=24041 comm="rpcd_winreg" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="DENIED" operation="open" class="file" profile="samba-rpcd" name="/etc/gnutls/config" pid=24039 comm="rpcd_mdssvc" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="DENIED" operation="open" class="file" profile="samba-rpcd-spoolss" name="/etc/gnutls/config" pid=24040 comm="rpcd_spoolss" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="DENIED" operation="open" class="file" profile="samba-rpcd-classic" name="/etc/gnutls/config" pid=24035 comm="rpcd_classic" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
# profiles/apparmor.d/samba-rpcd-classic: allow @{HOMEDIRS}
Give access to @{HOMEDIRS}, just like in usr.sbin.smbd, so that
usershares in /home/ can be accessed.
apparmor="DENIED" operation="open" class="file" profile="samba-rpcd-classic" name="/home/user/path/to/usershare/" pid=4781 comm="rpcd_classic" requested_mask="r" denied_mask="r" fsuid=0 ouid=1000
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/379
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1200
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
2024-04-03 08:43:01 +00:00
John Johansen
88ec709aac
Merge parser: fix getattr and setattr perm mapping on mqueue rules
...
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/377
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/378
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1197
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
2024-04-03 08:39:08 +00:00
John Johansen
3aa40249cf
Merge usr.sbin.sshd: Add new permissions needed on Ubuntu 24.04
...
Testing on noble turned these up:
`2024-03-27T00:10:28.929314-04:00 image-ubuntu64 kernel: audit: type=1400 audit(1711512628.920:155): apparmor="DENIED" operation="bind" class="net" profile="/usr/sbin/sshd" pid=1290 comm="sshd" family="unix" sock_type="stream" protocol=0 requested_mask="bind" denied_mask="bind" addr="@63cf34db7fbab75f/bus/sshd/system"`
`2024-03-27T00:41:09.791826-04:00 image-ubuntu64 kernel: audit: type=1107 audit(1711514469.771:333907): pid=703 uid=101 auid=4294967295 ses=4294967295 subj=unconfined msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/login1" interface="org.freedesktop.login1.Manager" member="CreateSessionWithPIDFD" mask="send" name="org.freedesktop.login1" pid=4528 label="/usr/sbin/sshd" peer_pid=688 peer_label="unconfined"`
Fixes: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2060100
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1196
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
2024-04-03 07:42:31 +00:00
John Johansen
01fcce41dc
Merge tests: fix inet tests
...
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/376
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1192
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
2024-04-03 07:36:35 +00:00
John Johansen
f334884787
Merge Move pam-related permissions to abstractions/authentication
...
... instead of keeping them in the smbd profile.
For details, see c09f58a364
and
https://bugzilla.opensuse.org/show_bug.cgi?id=1220032#c12
Also replace /usr/etc/ with @{etc_ro} so that /etc/ is also covered.
Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1220032#c12
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1191
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
2024-04-03 07:32:48 +00:00
Georgia Garcia
e1405cba82
parser: add anon ip parser test
...
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
2024-04-02 13:57:18 -03:00
Georgia Garcia
c9d54a021e
parser: add network inet mediation documentation to apparmor.d
...
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
2024-04-02 13:57:17 -03:00
Christian Boltz
397e1e1386
Merge Stop calling ldd in aa-genprof and aa-autodep
...
In some cases, ldd might obtain information by executing the given
binary (see ldd(1)) - which is not something we should do on potentially
unknown binaries, especially because aa-genprof and aa-autodep (and
therefore also ldd) are often started as root.
Additionally, the ldd result typically listed libraries already covered
by abstractions/base, which makes the ldd call superfluous.
While at it,
- remove all references to ldd
- remove code only used for calling ldd and handling its results
- remove tests checking ldd results, and the fake_ldd script
- adjust a test where fake_ldd had added some libraries
- remove ldd path from logprof.conf [settings]
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1201
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: Christian Boltz <apparmor@cboltz.de>
2024-04-01 19:52:19 +00:00
Christian Boltz
baa8b67248
Merge MountRule: Relaxing constraints on fstype and completing AARE support
...
- Before this commit, fstype had to match a known fs. However, having and maintaining the exhaustive list of fstypes proved challenging (see !1195 and !1176). Therefore, we add support for any filesystem name.
- Completing AARE support for fstype (brace expressions like ext{3,4} are now supported).
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1198
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>
2024-04-01 16:20:09 +00:00
Maxime Bélair
dad5ee28b3
MountRule: Relaxing constraints on fstype and completing AARE support
...
- Before this commit, fstype had to match a known fs. However, having and maintaining the exhaustive list of fstypes proved challenging (see !1195 and !1176). Therefore, we add support for any filesystem name.
- Completing AARE support for fstype (brace expressions like ext{3,4} are now supported).
2024-04-01 15:55:08 +02:00
Christian Boltz
e99dda15f4
Stop calling ldd in aa-genprof and aa-autodep
...
In some cases, ldd might obtain information by executing the given
binary (see ldd(1)) - which is not something we should do on potentially
unknown binaries, especially because aa-genprof and aa-autodep (and
therefore also ldd) are often started as root.
Additionally, the ldd result typically listed libraries already covered
by abstractions/base, which makes the ldd call superfluous.
While at it,
- remove all references to ldd
- remove code only used for calling ldd and handling its results
- remove tests checking ldd results, and the fake_ldd script
- adjust a test where fake_ldd had added some libraries
- remove ldd path from logprof.conf [settings]
2024-03-31 18:53:12 +02:00
nl6720
6de5bb656a
profiles/apparmor.d/samba-rpcd-classic: allow @{HOMEDIRS}
...
Give access to @{HOMEDIRS}, just like in usr.sbin.smbd, so that
usershares in /home/ can be accessed.
apparmor="DENIED" operation="open" class="file" profile="samba-rpcd-classic" name="/home/user/path/to/usershare/" pid=4781 comm="rpcd_classic" requested_mask="r" denied_mask="r" fsuid=0 ouid=1000
2024-03-29 18:19:10 +02:00
nl6720
0988feb190
abstractions/samba: allow /etc/gnutls/config
...
Various samba components want to read it. Without it, shares cannot be accessed.
apparmor="DENIED" operation="open" class="file" profile="nmbd" name="/etc/gnutls/config" pid=23509 comm="nmbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="DENIED" operation="open" class="file" profile="smbd" name="/etc/gnutls/config" pid=23508 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="DENIED" operation="open" class="file" profile="samba-rpcd" name="/etc/gnutls/config" pid=24037 comm="rpcd_fsrvp" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="DENIED" operation="open" class="file" profile="samba-rpcd" name="/etc/gnutls/config" pid=24036 comm="rpcd_epmapper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="DENIED" operation="open" class="file" profile="samba-rpcd" name="/etc/gnutls/config" pid=24038 comm="rpcd_lsad" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="DENIED" operation="open" class="file" profile="samba-rpcd" name="/etc/gnutls/config" pid=24041 comm="rpcd_winreg" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="DENIED" operation="open" class="file" profile="samba-rpcd" name="/etc/gnutls/config" pid=24039 comm="rpcd_mdssvc" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="DENIED" operation="open" class="file" profile="samba-rpcd-spoolss" name="/etc/gnutls/config" pid=24040 comm="rpcd_spoolss" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="DENIED" operation="open" class="file" profile="samba-rpcd-classic" name="/etc/gnutls/config" pid=24035 comm="rpcd_classic" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
2024-03-29 17:50:25 +02:00
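As an added example (not code from the AppArmor project or from these commits), the parser below turns the denial records quoted in the samba and sshd commit messages above into candidate allow rules grouped by profile; the file and dbus rule syntax follows apparmor.d, the sample lines are constructed copies of the quoted records, and operations it does not know (the unix socket bind) are flagged for manual review rather than guessed.

```python
import re
from collections import defaultdict

# Constructed sample: copies of the denial records quoted in the samba and
# sshd commit messages, two raw and two with the kernel audit prefix.
SAMPLE_LOG = """\
apparmor="DENIED" operation="open" class="file" profile="nmbd" name="/etc/gnutls/config" pid=23509 comm="nmbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="DENIED" operation="open" class="file" profile="samba-rpcd-classic" name="/home/user/path/to/usershare/" pid=4781 comm="rpcd_classic" requested_mask="r" denied_mask="r" fsuid=0 ouid=1000
2024-03-27T00:10:28.929314-04:00 image-ubuntu64 kernel: audit: type=1400 audit(1711512628.920:155): apparmor="DENIED" operation="bind" class="net" profile="/usr/sbin/sshd" pid=1290 comm="sshd" family="unix" sock_type="stream" protocol=0 requested_mask="bind" denied_mask="bind" addr="@63cf34db7fbab75f/bus/sshd/system"
2024-03-27T00:41:09.791826-04:00 image-ubuntu64 kernel: audit: type=1107 audit(1711514469.771:333907): pid=703 uid=101 auid=4294967295 ses=4294967295 subj=unconfined msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/login1" interface="org.freedesktop.login1.Manager" member="CreateSessionWithPIDFD" mask="send" name="org.freedesktop.login1" pid=4528 label="/usr/sbin/sshd" peer_pid=688 peer_label="unconfined"'
"""

# key=value pairs: the value is either double-quoted or a bare token.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_denial(line):
    """Return the fields of one apparmor="DENIED" record, else None."""
    # type=1107 (dbus) records wrap the AppArmor fields in msg='...'.
    line = re.sub(r"msg='(.*)'$", r"\1", line.strip())
    fields = {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
              for m in KV_RE.finditer(line)}
    return fields if fields.get("apparmor") == "DENIED" else None


def suggest_rule(f):
    """Map one parsed denial to the narrowest matching allow rule."""
    if f.get("class") == "file":
        # Literal path with the denied permissions; a profile author would
        # then generalise it (e.g. @{HOMEDIRS}/ as the rpcd-classic commit did).
        return f"{f['name']} {f['denied_mask']},"
    if f.get("operation") == "dbus_method_call":
        return (f"dbus {f['mask']} bus={f['bus']} path={f['path']} "
                f"interface={f['interface']} member={f['member']} "
                f"peer=(name={f['name']}),")
    # Anything else (here: the unix socket bind) is flagged for manual review.
    return f"# unhandled: operation={f.get('operation')} class={f.get('class')}"


def rules_by_profile(log_text):
    """Group de-duplicated rule suggestions by the confined profile."""
    out = defaultdict(list)
    for line in log_text.splitlines():
        f = parse_denial(line)
        if f is None:
            continue
        profile = f.get("profile") or f.get("label")  # dbus records use label=
        rule = suggest_rule(f)
        if rule not in out[profile]:
            out[profile].append(rule)
    return dict(out)
```

Running `rules_by_profile(SAMPLE_LOG)` yields `/etc/gnutls/config r,` for nmbd and a single `dbus send ... peer=(name=org.freedesktop.login1),` line for /usr/sbin/sshd, with the bind denial left as a comment to be written by hand.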
Christian Boltz
5baefb3fa3
Merge Adding userspace support for unix mediation
...
Adding userspace support for unix mediation
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1194
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>
2024-03-29 13:09:06 +00:00
Maxime Bélair
34821d16ce
Adding userspace support for unix mediation
2024-03-29 13:09:06 +00:00
Christian Boltz
d23a864c2c
Merge Fix several typos
...
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1199
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>
2024-03-29 12:46:55 +00:00
Zygmunt Krynicki
358a8a6a65
fix typo: globally
...
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
2024-03-29 10:57:33 +01:00
Zygmunt Krynicki
f750a8a217
fix typo: parameter
...
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
2024-03-29 10:57:33 +01:00
Zygmunt Krynicki
42e7f5a52a
fix typo: exercised
...
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
2024-03-29 10:56:21 +01:00
Zygmunt Krynicki
6fddd31b76
fix typo: aggressive
...
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
2024-03-29 10:52:25 +01:00
Zygmunt Krynicki
d274eb39d9
fix typo: accumulate
...
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
2024-03-29 10:52:24 +01:00
Christian Boltz
b7cf7af7e2
Merge aa-logprof/aa-genprof: Adding support for --allow-all, --output-dir and --no-abstraction
...
- Adding support for --output-dir in aa-logprof and aa-genprof, allowing one to work on profiles without applying the modified version
- Adding support for --allow-all in aa-logprof, which non-interactively creates 'allow' rules for all logs
- Adding support for --no-abstraction in aa-logprof and aa-genprof
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1177
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>
2024-03-28 19:29:08 +00:00